Three new flaws were discovered in Microsoft
products that could allow a malicious user to cause havoc on your machine.
The flaws were discovered in SQL Server 2000, Microsoft Exchange Server, and
Metadirectory Services 2.2, and would allow a hacker to accomplish a variety
The most serious threat comes from the vulnerability in the SQL Server 2000
resolution service, which could enable code execution by an attacker.
The vulnerability was identified Wednesday by David Litchfield of Next
Generation Security Software Ltd.
SQL Server 2000 introduces the ability to host multiple instances of
SQL Server on a single physical machine. Each instance operates for all
intents and purposes as though it was a separate server.
The multiple instances, however, cannot all use the standard SQL Server
session port (TCP 1433). While the default instance listens on TCP port
1433, named instances listen on any port assigned to them. The SQL Server
Resolution Service, which operates on UDP port 1434, provides a way for
clients to query for the appropriate network endpoints to use for a
particular SQL Server instance.
By sending a carefully crafted packet to the Resolution Service, an attacker
could cause portions of system memory to be overwritten. Overwriting it with
random data would likely result in the failure of the SQL Server service,
while overwriting it with carefully selected data could allow the attacker
to run code in the security context of the SQL Server service.
The vulnerability also could allow for a denial of service attack.
A hacker could cause a DoS by creating a keep-alive packet that, when sent
to the Resolution Service, would cause SQL Server 2000 to respond with the
same information. An attacker who created such a packet, spoofed the source
address so that it appeared to come from one SQL Server 2000 system, and
sent it to a neighboring SQL Server 2000 system could cause the two systems
to enter a never-ending cycle of keep-alive packet exchanges.
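Because the Resolution Service answers on UDP port 1434 to whatever source address a datagram carries, both the remote code execution path and the keep-alive loop described above leave a recognizable footprint in network flow data. The script below is an added example (not from the article, Microsoft, or NGSSoftware) of the two checks a defender would want: any UDP/1434 datagram arriving from outside the internal address space, which perimeter filtering should have dropped, and a sustained two-way exchange between a pair of hosts where both ends are port 1434, which is the shape of the ping-pong loop. The flow records, the 10.0.0.0/8 internal range and the 20 packets-per-second threshold are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SSRS_PORT = 1434  # SQL Server Resolution Service listens here over UDP

# Assumption for the example: this is the organisation's internal range.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    """One summarised datagram as a flow collector might export it."""
    ts: float      # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int    # payload bytes


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_ssrs_probes(flows):
    """UDP/1434 traffic from outside the internal range: the perimeter
    should be blocking this port, so any hit is worth an alert."""
    return [f for f in flows
            if f.proto == "udp" and f.dport == SSRS_PORT and not is_internal(f.src)]


def keepalive_loops(flows, min_pps=20.0, window=1.0):
    """Host pairs exchanging UDP datagrams with BOTH source and destination
    port 1434, in both directions, at or above min_pps. A legitimate client
    query uses an ephemeral source port, so 1434<->1434 in both directions at
    a high rate is the signature of the spoofed keep-alive cycle."""
    pairs = defaultdict(list)
    for f in flows:
        if f.proto == "udp" and f.sport == SSRS_PORT and f.dport == SSRS_PORT:
            pairs[tuple(sorted((f.src, f.dst)))].append(f)

    findings = []
    for pair, pkts in pairs.items():
        directions = {(f.src, f.dst) for f in pkts}
        if len(directions) < 2:          # one-way traffic is not a loop
            continue
        span = max(f.ts for f in pkts) - min(f.ts for f in pkts)
        pps = len(pkts) / max(span, window)  # window floors very short bursts
        if pps >= min_pps:
            findings.append((pair, pps))
    return sorted(findings)


# Constructed sample: a normal client lookup, one external probe, and a
# 40-packet 1434<->1434 volley between two SQL hosts inside one second.
SAMPLE_FLOWS = (
    [Flow(0.0, "10.0.0.50", 51000, "10.0.0.5", SSRS_PORT, "udp", 1),
     Flow(0.01, "10.0.0.5", SSRS_PORT, "10.0.0.50", 51000, "udp", 90),
     Flow(0.5, "203.0.113.9", 40000, "10.0.0.5", SSRS_PORT, "udp", 1)]
    + [Flow(i * 0.025,
            "10.0.0.5" if i % 2 == 0 else "10.0.0.6", SSRS_PORT,
            "10.0.0.6" if i % 2 == 0 else "10.0.0.5", SSRS_PORT,
            "udp", 1)
       for i in range(40)]
)

if __name__ == "__main__":
    for f in external_ssrs_probes(SAMPLE_FLOWS):
        print(f"external UDP/{SSRS_PORT} probe from {f.src}:{f.sport} -> {f.dst}")
    for (a, b), pps in keepalive_loops(SAMPLE_FLOWS):
        print(f"possible keep-alive loop between {a} and {b}: {pps:.0f} pkt/s")
```

The normal client query in the sample is not flagged because its source port is ephemeral and it is a single request/response, which is why the loop check keys on port 1434 at both ends and on rate in both directions rather than on UDP/1434 traffic alone.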
A patch for the vulnerability is available here.
The second vulnerability, discovered by Internet Security Systems, affects
Microsoft Exchange Server v.5.5 Internet Mail Connector, which provides
Simple Mail Transfer Protocol
for remote attackers to formulate a request to trigger a buffer overflow on
a vulnerable Exchange server. This flaw may allow an attacker to either
crash Exchange and block all inbound and outbound e-mail delivery or allow an
attacker to gain complete control of the server.
Two major concerns regarding this vulnerability are the widespread
deployment of version 5.5 and the fact that successful exploitation of this
vulnerability can occur through properly configured firewalls.
A patch for the Exchange Server 5.5 vulnerability is available here.
The last vulnerability, discovered by Pascal Huijbers and Thomas de Klerk of
Info Support, appears to pose only a moderate threat. The vulnerability
occurs in Microsoft Metadirectory Services, a centralized metadirectory
service that provides connectivity, management, and interoperability
functions to help unify fragmented directory and database environments.
A flaw exists that could enable an unprivileged user to access and
manipulate data within MMS that should, by design, only be accessible to MMS
administrators. Specifically, it is possible for an unprivileged user to
connect to the MMS data repository via an LDAP client in such a way as to
bypass certain security checks. This could enable an attacker to modify data
within the MMS data repository, either for the purpose of changing the MMS
configuration or replicating bogus data to the other data repositories.
According to Microsoft’s security bulletin, an attack on MMS would be
extremely difficult. The bulletin notes that if normal security practices
have been followed, the vulnerability could not be exploited from the
Internet. In addition, the vulnerability could only be exploited by an
attacker who had significant technical expertise at a protocol level,
because the vulnerability does not provide access to MMS itself, but rather
to the MMS data repository. Determining what data to change, and how to
change it in order to cause a desired effect could be quite difficult.
The MMS vulnerability also appears to be exploitable only by an attacker who
had insider knowledge about the specific enterprise, as a successful attack
would require a detailed understanding of the specific way MMS had been
configured, as well as information about all of the other directories and
databases it was being used to manage.
A patch for the MMS vulnerability is available here.
The new vulnerabilities for Microsoft come in a year when the company’s software has
been plagued by various flaws. This year alone, the Redmond, Wash. giant has
acknowledged 39 vulnerabilities across its product line.